Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.8.0
-
None
-
None
Description
Load balancing fails when we construct a secure cluster with wildcard certs.
For example, assume that we have a valid wildcard cert for *.example.com and a cluster consists of nf1.example.com, nf2.example.com, and nf3.example.com . We cannot transfer a FlowFile between nodes for load balancing because of the following authorization error:
2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client ID's [*.example.com] to Load Balance data because none of the ID's are known Cluster Node Identifiers 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer /xxx.xxx.xxx.xxx:xxxxx org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: Client ID's [*.example.com] are not authorized to Load Balance data at org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65) at org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142) at org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)
This problem occurs because in authorize method in ClusterLoadBalanceAuthorizer class, authorization is tried by just matching strings.
Attachments
Issue Links
- links to